- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
05-20-2022 08:48 AM
Hello, i have question about PBF Using ECMP.
We have 3 ISP and using ECMP Setting with weight round robin and Symetric Return Settings
ISP A > 200
ISP B > 100
ISP C > 50
NAT we set like this
All User > ISP A
Using PBF for some IP Segment
Segment A to ISP A
Segment B to ISP B
Segment C to ISP C
But we have some problem link below :
When we check the traffic monitor, we can see that IP Segment A is still Going to ISP B and ISP C
When we disable ECMP, setting the ISP metric in virtual routing to 10,20,30, the Globalprotect only up for ISP that have a low metric.
For some reason, some users can't access/maybe have a slower access to specific website.
Security policy for now we set to Allow All.
Is there any solution to avoid IP Segment A going to ISP B and C using this ECMP Method?
06-09-2022 02:09 AM
I may be missing the point, but why do you enable ECMP if you only set NAT for ISP A and then set PBF policies to send traffic to a certain ISP?
i bet you're running into some sort of conflict where ECMP is bouncing users off to ISP B+C (because you defined ECMP)
06-12-2022 07:54 PM
For first deployment we was setting to ECMP because they want to utilize all the WAN Links, after few weeks our user had a problem with routing,so we check the routing and see if any problem but we don't find that.
So we use the NAT and PBF to specify some segment to specific WAN link, and let the other segment use the ECMP Configuration. I Check another threat in palo/others vendors, i think this is the behaviour the ECMP configuration, balancing the traffic, even we specify the link and when the link is higher than the other, the configuration is balancing the link.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!